Fastest way to crack password-protected Microsoft Office documents - doc files and Excel spreadsheets

1) Microsoft Office files are password protected to prevent tampering and data integrity. But the protected documents of earlier versions of the Office are vulnerable to extracting their hashes with a simple program called office2john. The hashes thus obtained can be cracked using John the Ripper and Hashcat.

>  It takes just a couple of seconds to extract the hash from the password-protected Microsoft Office file using office2john . Despite the fact that the encryption standards in various Office products have changed over the years, none of them can resist the extraction of hashes using office2john.
> This utility is written in Python and can be run directly from the terminal. As for compatibility with Office files, it is known that office2john works with any password-protected Word, Excel, PowerPoint, OneNote, Project, Access, and Outlook files created in Office 97, Office 2000, Office XP, Office 2003, Office 2007, Office 2010 and Office 2013, including versions of Office for Mac. It may not work with newer versions of Office, but we saved the .docx file in Office 2016 by marking it as an Office 2013 file.



1)  Install Office2John
First, we need to download this utility from GitHub, since office2john is not included in the standard version of John the Ripper (which must already be installed on your Kali system). You can download it using wget.

wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/office2john.py

2) -  https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/office2john.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.148.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.148.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 131690 (129K) [text/plain]
Saving to: ‘office2john.py’

office2john.py                        100%[=======================================================================>] 128.60K  --.-KB/s    in 0.09s

>  (1.45 MB/s) - ‘office2john.py’ saved [131690/131690]

2)  Make sure everything is in the same directory
To start office2john using Python, we need to go to the directory in which it was installed. By default, for most of you, this will be the Home directory (just type cd in the console), but you can create any other directory.

3) For our tests you will need a suitable file. We will use a simple .docx file called “dummy.docx”, which we created using Word 2007 and password protected it. Download it to have something to work with. The password for the file is “password123”, however, you will recognize it already. You can also download documents created in Word 2010 and (which appears to be created in Word 2013). The password for them is the same - “password123”.

4)  Get the hash using Office2john
The first thing to do is to extract the hash of our secure Office file. Run the following command and write the output to the hash.txt file, which we will use a little later.

5) python office2john.py dummy.docx > hash.txt
To verify that the hash was successfully retrieved, use the cat command. We see that the saved hash corresponds to Microsoft Office 2007. Great!

cat hash.txt
dummy.docx:$office$*20*128*16*a7c7a4eadc2d90fb22c073c6324b6b49*abc5f80409f5f96f97e184e44aacd0b7*930b0c48a7eb5e13a57af4f3030b48e9402b6870

5) Hack the hash you just saved
We show two ways to crack the hash of the protected Microsoft Office file that you just saved. Both methods work great, so choose the one you like best.

Option 1: Hack with John the Reaper
Set the –wordlist flag and pass the path to your favorite wordlist into it. The wordlist that is included in Nmap is perfect for our purposes, but for more complex passwords you should use a more detailed wordlist.

john --wordlist=/usr/share/wordlists/nmap.lst hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 128/128 SSE2 4x / SHA512 128/128 SSE2 2x AES])
Cost 1 (MS Office version) is 2007 for all loaded hashes
Cost 2 (iteration count) is 50000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
John will begin to crack, and depending on the complexity of the password, he will finish work when he finds a match. To view the current status of the process, press any key. When the hash is cracked, a message with the password from the document will appear on the screen. Since our password was very simple, it took only a few seconds to crack it.

password123      (dummy.docx)
1g 0:00:00:03 DONE (2019-02-05 15:00) 0.2824g/s 415.8p/s 415.8c/s 415.8C/s lacoste..cooldude
Use the "--show" option to display all of the cracked passwords reliably





Enjoy! Follow us for more...